—-IPSEC
Negotiation protocol – AH, ESP, ESP + AH //which IPSEC encryption, authentication and protection is used
Encryption – DES, 3DES, AES, RSA, DH //scramble data
Authentication – MD5, SHA1 //makes sure keys go to person X.
Protection – DH1, 2, 5, 7
—-2 modes of VPN
Transport – Can be used on the internal LAN environment to encrypt traffic.
Traffic from layer 4 and up is encrypted. Only the IP and MAC headers are not encrypted.
Tunnel – Used across WAN links, the whole packet is encrypted.
A new IP and MAC header is added to the packet; at the receiving end it is stripped off
and the packet is decrypted for the client.
—Key types.
Symmetric keys are the same on each side //very fast. Also called Shared Secret.
Asymmetric keys are different on each side //more CPU usage, more secure.
—Diffie-Hellman
Each router has a private and a public key (asymmetric)
The public key is exchanged and a shared key generated at each router.
The new shared key is then used for the session; shared (symmetric) session keys are better because
they use less CPU than using the asymmetric keys on each packet.
The private key can then be used to decrypt incoming packets.
The VPN will tear down by default after 4mb or 80000 seconds.
—NAT extendable
If you reference the same IP address twice in static NAT entries (as below, for different ports),
you must use the extendable keyword to allow the multiple references.
ip nat inside source static tcp 10.151.16.48 80 203.113.200.79 80 extendable
ip nat inside source static tcp 10.151.16.48 443 203.113.200.79 443 extendable
—Authentication
Methods: username + password, biometric, pre-shared keys, one-time password.
Authentication will also tie to a specific IP address.
If the IP address and password do not match, the connection will not happen.
—Certificates
Certificates are used to easily cycle pre-shared keys on an interval.
It's a way of confirming that a router should trust another router.
This is called PKI (Public Key Infrastructure).
2 ways to get your certificate (SCEP):
manual -> Need to go to the server and approve the receiving of the cert
pre-shared key -> Auto receive certificate from the CA.
X.509 = Certificate standard (contains router signature, CA signature, public key)
PKCS#7 = part of the cert that is signed by the CA cert.
PKCS#10 = Request for another certificate
—–VPN concepts.
A VPN is really a tunnel within a tunnel.
AH – Authentication Header, no encryption
ESP – Encapsulating Security Payload. Does encryption.
//Defining your “interesting traffic”: which traffic will take the VPN route
Uses an access list. Must be the same on each side of the tunnel.
That way internet traffic does not use the tunnel.
If a packet arriving along a VPN tunnel is not encrypted, the packet is dropped.
This may be an IP spoofing attack.
//IKE (Internet Key Exchange) Phase 1. Exchange keys securely.
Keys dynamically change.
There is a list of policies on each router,
policy 1 through x. It will go down the list and attempt to find a policy that has settings
that can be used on both sides, like DH, AES, DES
//IKE Phase 2. Encrypt using the key received.
Generates the symmetric keys, called the transform set.
//Data transfer
//VPN teardown. After the timeout it closes,
after a set amount of time/data.
Break the VPN and regenerate new asymmetric keys.
—VPN configuration. Site-to-Site VPN
//Debug a tunnel forming; check the attributes are acceptable.
debug crypto isakmp
debug crypto ipsec
//Check tunnel status. IDLE means it's up
show crypto isakmp sa //IKE phase 1 tunnel. Until traffic is sent there is no tunnel
show crypto ipsec sa //IKE phase 2 tunnel. Until traffic is sent there is no tunnel
show crypto isakmp policy
show run | section crypto
show crypto map //see phase 2 information